If you’re a HIPAA-covered entity or business associate, you probably already know you are subject to the authority of the Department of Health and Human Services, Office for Civil Rights (HHS).

What you probably don’t know is that you may also be subject to the authority of the Federal Trade Commission (FTC) for breaches of electronic information. While the FTC has not yet provided any formal guidance to help companies determine if their data security plans comply with the FTC Act, there are some best practices around data security that comply with HIPAA which should better position you with the FTC.

Case in Point

The FTC issued an administrative complaint in 2013 against LabMD Inc., a medical testing laboratory, alleging that the company failed to reasonably protect sensitive consumer data.

Specifically, the FTC pointed out that a LabMD spreadsheet containing information on more than 9,000 customers was found on a peer-to-peer file sharing network. The spreadsheet included names, Social Security numbers, health insurance provider information and standardized medical treatment codes. The complaint further alleged that LabMD did not:

  • implement or maintain a comprehensive data security program to protect sensitive consumer information
  • use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to sensitive consumer information
  • use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
  • adequately train employees on basic security practices
  • require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords
  • maintain and update operating systems of computers and other devices on its networks
  • use readily available measures to prevent and detect unauthorized access to personal information

LabMD’s Reaction & Result

In response, LabMD filed a motion to dismiss the complaint on several grounds, including that the FTC has no authority under Section 5 of the FTC Act and, alternatively, that even if it has authority under Section 5, Congress granted HHS the exclusive authority to regulate and enforce data security standards for HIPAA covered entities. The FTC did not find LabMD’s arguments persuasive and rejected LabMD’s motion to dismiss.

For Consideration

Now might be a good time to review your business’s current encryption practices and other data security measures. Or, actually, your entire compliance program. Staying on the safe side with HIPAA will likely ensure you do the same with the FTC.

Further Reading

Copies of the pleadings, orders and press releases can be found at: http://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter